Abstract: Digital communication messages processed by each specific one of a plurality of client computers are tracked and indexed. A query made by a first client computer against a base of digital communication messages of the organization is received by the client computers. The indexed communication messages are searched based on the query, and a search result is obtained. Relevance between the query and the search result is determined. Users operating client computers are prompted to indicate whether to respond to the query responsive to determining that the relevance meets a criterion. An indication to respond to the query is received by one or more client computers of the plurality. One or more responses are generated by the one or more client computers and transmitted to the first client computer.

Abstract: Digital communication messages processed by each specific one of a plurality of client computers are tracked and indexed. A query made by a first client computer against a base of digital communication messages of the organization is received by the client computers. The indexed communication messages are searched based on the query, and a search result is obtained. Relevance between the query and the search result is determined. Users operating client computers are prompted to indicate whether to respond to the query responsive to determining that the relevance meets a criterion. An indication to respond to the query is received by one or more client computers of the plurality. One or more responses are generated by the one or more client computers and transmitted to the first client computer.

Abstract: A system and method are disclosed for deploying applications to end point devices. The applications are obtained from a marketplace that checks the applications and packages them for endpoint use according to certain policies. Packaging an application includes compiling or assembling and linking the application, possibly with a framework and possibly with a binding token, which can be a device binding token and/or a user binding token. The application is loaded onto an endpoint device and if the application is bound to the device and the user is allowed to use the application, the application is enabled to be used on the endpoint device. A gateway between the endpoint device and an authentication server helps to authenticate the user. The gateway also manages data transfers between the endpoint device and a data server according to a selected protocol.

Abstract: A system and method are disclosed for deploying applications to end point devices. The applications are obtained from a marketplace that checks the applications and packages them for endpoint use according to certain policies. Packaging an application includes compiling or assembling and linking the application, possibly with a framework and possibly with a binding token, which can be a device binding token and/or a user binding token. The application is loaded onto an endpoint device and if the application is bound to the device and the user is allowed to use the application, the application is enabled to be used on the endpoint device. A gateway between the endpoint device and an authentication server helps to authenticate the user. The gateway also manages data transfers between the endpoint device and a data server according to a selected protocol.

Abstract: A computer system receives, from a user device, a request to access a resource within a network of an organization and receives access credentials associated with an application, a user and the user device. The computer system identifies an application identifier, a user identifier and a device identifier and determines whether the combination of these identifiers satisfies an access policy. If the combination of application identifier, user identifier and device identifier satisfies the access policy, then the computer system grants the application access to the resource within the network of the organization.

Abstract: Multiple apps of an ecosystem on a computer securely exchange encrypted data according to an information control policy of an enterprise, without allowing unauthorized access from outside of the ecosystem. An ecosystem agent creates an ecosystem directory, which contains policy information and identification information concerning each specific app in the ecosystem, including the ecosystem agent. Each ecosystem app generates an asymmetric key pair, the public key of which it shares only with apps in the ecosystem through the directory. The ecosystem agent's private key is used to encrypt the directory. Data is securely communicated between apps in the ecosystem, by encrypting and decrypting messages and data objects with the appropriate ecosystem app keys. Each specific app in the ecosystem complies with enterprise information control policy. Ecosystem apps can read a policy from the directory, and receive policy updates from the enterprise.

Abstract: A computer-implemented method for providing secure mobile email communications is described. At least one application programming interface (API) of a native email client is hooked in order to transmit data securely via email. The native email client is native to an operating system of the mobile device. An email originating from a registered application is detected, via the hooked API. The email includes the data to transmit securely. The registered application is registered in a registry according to a mobile application authentication procedure. The registry includes a plurality of registered applications authenticated according to the mobile application authentication procedure.

Abstract: A web browser that includes a network policy enforcement unit, a storage policy enforcement unit, and an ancillary policy enforcement unit is disclosed. The network policy enforcement unit controls communications between application logic of a web application and data communication APIs. The storage policy enforcement unit controls access between the web application logic and persistent storage APIs. The ancillary policy enforcement unit controls user authentication of the web application logic.

Abstract: A computer-implemented method to revoke an application is described. The processor monitors for a revocation condition. Upon detection of the revocation condition, the process also generates a command for a framework of a managed application to revoke the managed application.

Abstract: A computer-implemented method for providing secure mobile email communications is described. At least one application programming interface (API) of a native email client is hooked in order to transmit data securely via email. The native email client is native to an operating system of the mobile device. An email originating from a registered application is detected, via the hooked API. The email includes the data to transmit securely. The registered application is registered in a registry according to a mobile application authentication procedure. The registry includes a plurality of registered applications authenticated according to the mobile application authentication procedure.

Abstract: A computer-implemented method for establishing secure mobile communications is described. A virtual private network (VPN) between a mobile device and a server is established. A transmission of at least a portion of data between a first application and the server is blocked. It is determined whether the first application on the mobile device is a trusted application. Upon determining the first application is an untrusted application, a transmission of at least a portion of data between the untrusted application and the server continues to be blocked.

Abstract: A computer system receives, from a user device, a request to access a resource within a network of an organization and receives access credentials associated with an application, a user and the user device. The computer system identifies an application identifier, a user identifier and a device identifier and determines whether the combination of these identifiers satisfies an access policy. If the combination of application identifier, user identifier and device identifier satisfies the access policy, then the computer system grants the application access to the resource within the network of the organization.

Abstract: A system and method are disclosed for deploying applications to end point devices. The applications are obtained from a marketplace that checks the applications and packages them for endpoint use according to certain policies. Packaging an application includes compiling or assembling and linking the application, possibly with a framework and possibly with a binding token, which can be a device binding token and/or a user binding token. The application is loaded onto an endpoint device and if the application is bound to the device and the user is allowed to use the application, the application is enabled to be used on the endpoint device. A gateway between the endpoint device and an authentication server helps to authenticate the user. The gateway also manages data transfers between the endpoint device and a data server according to a selected protocol.

Abstract: Multiple apps of an ecosystem on a computer securely exchange encrypted data according to an information control policy of an enterprise, without allowing unauthorized access from outside of the ecosystem. An ecosystem agent creates an ecosystem directory, which contains policy information and identification information concerning each specific app in the ecosystem, including the ecosystem agent. Each ecosystem app generates an asymmetric key pair, the public key of which it shares only with apps in the ecosystem through the directory. The ecosystem agent's private key is used to encrypt the directory. Data is securely communicated between apps in the ecosystem, by encrypting and decrypting messages and data objects with the appropriate ecosystem app keys. Each specific app in the ecosystem complies with enterprise information control policy. Ecosystem apps can read a policy from the directory, and receive policy updates from the enterprise.

Abstract: Mechanisms for storing and searching a hierarchy of policies and associations thereof are disclosed which may be particularly useful for implementing security protocols, such as, but not limited to Internet Protocol security (IPsec). For example, a hierarchy of policies is stored in a search priority order in an associative memory, with each association of a particular policy stored higher in the search priority than its associated policy and after any other policy. Therefore, a lookup operation on the associative memory will identify a matching association, if one, else its matching policy. A match of a policy instead of an association may result in a corresponding association being added in the appropriate location. For IPsec implementations, the lookup word is typically derived from the packet, with this packet being typically processed based on the identified policy or association.

Abstract: A method and apparatus are provided for processing a data packet. Policy data that specifies nested encapsulation may be identified based upon one or more attributes of the data packet. Based upon first policy data that specifies two or more encapsulations to be applied to a data packet, second policy data may be generated that specifies nested encapsulation to be applied to the data packet.

Abstract: The invention-consists of a system that examines consumer data in the form of subscriber traffic, populates databases, and targets advertising to consumers based on those databases. For example, an Internet service provider, cable television provider, wireless service provider, or other party who has access to consumers' Internet data traffic, voice traffic, or video traffic could use the invention. In such a case, the user of the invention would be able to market targeted advertisements, advertisement targeting services, or subscriber information. The targeted advertisements could be delivered over the same data network, a different data network, or even a completely different media, including but not limited to: television, pay-per-view video or print.

Abstract: Multiple branch operations using one or more associative memories are performed, which may be of particular use for, but is not limited to implementing security classification and access control lists. One embodiment generates a first lookup value including a first branch search level indication. A first lookup operation is performed on a set of associative memory entries based on the first lookup value to identify a first associative memory result, with each of associative memory entries including a branch level indication. The associative memory result is used to identify an adjunct memory result associated with a second branch level indication. A second lookup value is derived based on the second branch level indication. A second lookup operation is then performed on the associative memory entries based on the second lookup value to identify a second associative memory result.

Abstract: Mechanisms for storing and searching a hierarchy of items are disclosed which may be particularly useful for implementing security policies and security associations, such as, but not limited to Internet Protocol security (IPsec). A hierarchy of items is stored in a search priority order. Multiple element definitions and groups of elements are identified. Representations of the element definitions and elements are stored in a prioritized searchable data structure in decreasing search priority such that representations of each particular element definition is stored after representations of a set of particular elements associated with the particular element definition and before representations of lower priority element definitions and their associated elements. The element definitions may include Internet Protocol security policies and the elements may include Internet Protocol security associations. The searchable data structure may include an associative memory or a plurality of associative memory entries.